Processing of Windows? SYSVOL replication Failures

Off-topic: Xiao Principle, knowledge structure, check log is the wrong three magic weapon

Today, on DC1, a group Policy pair is created and linked, and the following error is reported when the client refreshes:

"Processing Group Policy failed. Windows cannot apply Group Policy object LDAP ... as shown in:

650) this.width=650; "width=" 552 "height=" 109 "title=" clip_image001 "style=" border-top-width:0px;border-right-width : 0px;border-bottom-width:0px; "alt=" clip_image001 "src=" http://img1.51cto.com/attachment/201409/30/9437529_ 1412069615sfhq.png "border=" 0 "/>

So in the client with \\domain.com access, found \\domain.com\SYSVOL\domain.com\policies below the error above the Group Policy object.

650) this.width=650; "width=" 558 "height=" 184 "title=" clip_image002 "style=" border-top-width:0px;border-right-width : 0px;border-bottom-width:0px; "alt=" clip_image002 "src=" http://img1.51cto.com/attachment/201409/30/9437529_ 1412069617e5wp.png "border=" 0 "/>

What's the matter, ping domain.com found that the address resolves to the DC2 IP, so I went to edit the DC1 of the Group Policy and found that there was this object.

650) this.width=650; "Width=" 439 "height=" "The Title=" clip_image003 "style=" border-top-width:0px;border-right-width : 0px;border-bottom-width:0px; "alt=" clip_image003 "src=" http://img1.51cto.com/attachment/201409/30/9437529_ 1412069619uuxn.png "border=" 0 "/>

As you can see here, there is a problem with SYSVOL replication (after SYSVOL is replicated through the DFSR service after win2008 ), the SYSVOL content on several domain controllers is inconsistent, because part of the Group Policy object is placed in SYSVOL. When this Group policy is applied, if access to DC2, because there is no such GPO object, will certainly be an error.

So I went into DC1, opened the Event Viewer, and found a 4012 error under "Application and service log \dfs Replication," which reads:

The DFS Replication Service has stopped replicating on the following local path folder: C:\Windows\SYSVOL\domain. The server has been disconnected from other partners for 201 days, which exceeds the time allowed by the Maxofflinetimeindays parameter (60). Therefore, DFS replication considers the data in the folder obsolete, and the server does not replicate this folder until this error is corrected. To restore replication for this folder, use the DFS Management snap-in to remove the server from the replication group, and then add it to this group. This causes the server to perform the initial synchronization task, which replaces the stale data with the most recent data in the other members of the replication group. Additional Information: Error: 9061 (the copied folder is offline for too long.) ) Replicated folder name: SYSVOL Share Replicated Folders id:ad12ebeb-2e85-4bd3-a628-29ea5535b77b Replication group name: Domain System Volume Replication group Id:b0987b25-db56-4c9e-8eb5-325597966a24 Member id:c59b6e88-fc22-4a66-b78f-c8f2f0eba70e

According to the above recommendation, is to remove the server from the replication group and then join, and copy data from other members, but it must be noted here, do not follow the above suggestions, because now the domain server DC1 above the latest data, it should be authoritative source, is the data from it to other servers, So we should manually set this DC1 as the authoritative server (i.e. the source), the steps are as follows:

Step One: Disable DFSR replication for DC1 first. Open Adsiedit.msc, navigate to Cn=sysvol subscription,cn=domain System volume,cn=dfsr-localsettings,cn=<the Server Name>,ou=domain Controllers,dc=<domain> The <the server name> here is the authoritative server to be set up, that is, DC1, which is typically the PDC emulator role server in the domain, because it has the latest SYSVOL content, and I am here. Modify the following two values Msdfsr-enabled=false means that replication is disabled Msdfsr-options=1 Step Two: Disable DFSR replication for all other domain controllers In the same location as step one, select the appropriate domain server. Msdfsr-enabled=false Step three: Make an ad copy and synchronize the above values. Step four: Start the DFSR service on the authoritative DC1 if it is not started. Step five: Enable replication of authoritative domain controllers in the same location as the first step, here is DC1. Msdfsr-enabled=true Step Six: Make AD replication again. Step Seven: Run DFSRDIAG on DC1 Pollad Step eight: Enable the DFSR service and replication on other non-authoritative domain controllers. Msdfsr-enabled=true Step nine: Run Dfsrdiag Pollad on other non-authoritative DCs.

The completion of the check log no longer errors, and then the customer runs the Group Policy update is also normal.

650) this.width=650; "width=" 525 "height=" "title=" clip_image004 "style=" border-top-width:0px;border-right-width : 0px;border-bottom-width:0px; "alt=" clip_image004 "src=" http://img1.51cto.com/attachment/201409/30/9437529_ 1412069619rzut.png "border=" 0 "/>

Attached: You can install the DFS Management tool in the Remote Server Administration tool of the feature component, then you can see the visual situation in the administrative tools, and you can run the diagnostic report.

650) this.width=650; "height=" 279 "title=" image "style=" border:0px; "alt=" image "src=" http://img1.51cto.com/ Attachment/201409/30/9437529_1412070153qloz.png "border=" 0 "/>

650) this.width=650; "height=" 421 "title=" image "style=" border:0px; "alt=" image "src=" http://img1.51cto.com/ Attachment/201409/30/9437529_1412070155tdog.png "border=" 0 "/>

This article is from "Lao Zhu's IT Infrastructure blog" blog, please be sure to keep this source http://12937895.blog.51cto.com/9437529/1559959

Processing of Windows? SYSVOL replication Failures